!currContainer->hasTransformRelatedProperty()
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6462017561165824

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  !currContainer->hasTransformRelatedProperty()
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBoxModelObject::pushMappingToContainer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=370165:370699

Minimized Testcase (0.46 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94HIpG2dz0T2VRAEQQ6pqgFCrfA5Wrf8YJm-UN1AVl62-YN4ShlOC1IdA4kQ_tPDKgNBMXkcqUUT3gIwVpZ-UgXIFnEOrNOyGu14Qr6QFnd-F9FcHidLrKs9vQPCqB4Vb8Cbg4w0Jj128TE1XSkZjdOB5ff1Q?testcase_id=6462017561165824

<style>
.c9 { overflow: auto; -webkit-transform: rotate3d(0, 1, 0, 45deg); }
.c9:last-of-type { display: table-row; }
.c12:last-of-type { position: fixed;
</style>
<script>
var nodes = Array();
nodes[79] = document.createElement('fieldset');
nodes[79].setAttribute('class', 'c12');
nodes[98] = document.createElement('legend');
nodes[98].setAttribute('class', 'c9');
document.documentElement.appendChild(nodes[98]);
nodes[98].appendChild(nodes[79]);
</script>

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
ClusterFuzz testcase 6462017561165824 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmohammad@chromium.org, Jul 13 2016
Components: Blink>Layout